Fayetteville exposed hundreds of Social Security numbers in crime mapping database

The city of Fayetteville exposed Social Security numbers and other personal information from more than five years of police reports in an online crime mapping database accessible to the public.

The city took the database offline late Friday evening after The News & Observer notified police officials of the issue. It’s unclear how long the information — which contained tens of thousands of detailed officer narratives dating back to 2016 — was publicly available or how many users accessed it before it was removed.

Among the data were hundreds of Social Security numbers and credit card numbers, as well as drivers’ license numbers and other personally identifiable information of witnesses, victims and the accused alike, all a rich target for identity thieves.

State law prohibits government workers from intentionally publishing Social Security numbers, financial information and other specific personal identifying information. Some information contained in the database, like drivers’ license numbers and social media screen names, is not explicitly barred from release by law.

In a statement Friday night, Fayetteville Police Chief Gina Hawkins said her agency was investigating the cause of the issue.

But beyond that statement, the department as of Tuesday morning has not released additional details or answered questions about the incident, including how many people may have obtained the data and whether victims of the exposure will be notified.

Beth Gargan, a spokesperson with the N.C. Department of Information Technology, confirmed Monday that the circumstances of the data exposure met the definition of a “cyber incident” under state law, requiring the police department to report details to state cybersecurity officials. That hadn’t happened as of Monday afternoon, Gargan said.

“We are not aware of whether a cyber incident has occurred in Fayetteville,” Gargan said in an email.

Access to the police report data was possible through the city’s use of ArcGIS, a popular commercial platform for hosting, sharing and visualizing map data. Other public agencies, like the N.C. Department of Health and Human Services, use ArcGIS to share data with the public — for example, COVID statistics by zip code. And Fayetteville published other public data there too, like the location of parks and city council districts.

ArcGIS uses a standardized system that allows common software, including Web browsers, to request data that powers maps and other applications. It’s what feeds the Fayetteville Police Department’s public crime mapping site.

The data containing Social Security numbers and other personal information was not available as a point-and-click download. But until it was taken down Friday evening, anyone with a little technical know-how could use software to request data from that publicly accessible system, allowing them to obtain Fayetteville police incident reports and the detailed narratives they contain.

As of Tuesday morning, the police department’s crime map no longer loaded any data. The city’s other ArcGIS datasets were offline as well.

Not all of the police report information exposed publicly was problematic.

An N&O review of the full dataset shows almost 400,000 entries dating back to 2007, about 75% of which contain no narrative or supplemental details — just dates, incident addresses and descriptions of alleged offenses. That’s the kind of information made explicitly public by state open records law, and available in incident reports searchable online.

But some entries from 2016 and 2017 include additional information, including officers’ verbatim notes detailing statements from witnesses and victims. And almost all of the entries from 2018 to May 12, 2022, when the data ends, contain officer narratives. That’s about 90,000 entries in all, although some appear to be duplicated in cases where multiple offenses are reported.